policy

package

v0.4.1 Latest Latest Go to latest Published: May 12, 2026 License: MIT Imports: 6 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/inhuman/mcp-multiplexer

Links

Open Source Insights

Documentation ¶

Overview ¶

Package policy provides ready-made BeforeCallHook and AfterCallHook builders for common call-control patterns. Import alongside github.com/inhuman/mcp-multiplexer; no additional dependencies are required.

Available builders:

DenyDestructive — rejects any tool marked as destructive before the RPC.
RequireRoles — enforces role-based access by reading roles from the context.
RateLimit — per-(server, tool) token-bucket rate limiting.
AuditLog — logs every call outcome via an injected mcpx.Logger.

Hooks compose naturally with mcpx.WithBeforeCall and mcpx.WithAfterCall and chain in registration order.

Index ¶

func AuditLog(logger mcpx.Logger) mcpx.AfterCallHook
func DenyDestructive() mcpx.BeforeCallHook
func RateLimit(per time.Duration, burst int) mcpx.BeforeCallHook
func RequireRoles(roles ...string) mcpx.BeforeCallHook
type ContextKey

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func AuditLog ¶

func AuditLog(logger mcpx.Logger) mcpx.AfterCallHook

AuditLog returns a mcpx.AfterCallHook that logs every call outcome via logger. On success it logs at Info level; on error at Error level. Args and result text are never logged. duration is included in the log fields.

func DenyDestructive ¶

func DenyDestructive() mcpx.BeforeCallHook

DenyDestructive returns a mcpx.BeforeCallHook that rejects any call where mcpx.ToolInfo.Destructive is true. Non-destructive tools pass through.

func RateLimit ¶

func RateLimit(per time.Duration, burst int) mcpx.BeforeCallHook

RateLimit returns a mcpx.BeforeCallHook that enforces a per-(server, tool) token-bucket limit. burst tokens are available immediately; one additional token is earned every per duration. Safe for concurrent use.

func RequireRoles ¶

func RequireRoles(roles ...string) mcpx.BeforeCallHook

RequireRoles returns a mcpx.BeforeCallHook that allows the call only when the context value at RolesKey (a []string) contains at least one of the required roles. Passing an empty roles list means no caller is ever allowed.

Types ¶

type ContextKey ¶

type ContextKey string

ContextKey is the type for context keys defined by this package.

const RolesKey ContextKey = "mcpx-policy-roles"

RolesKey is the context key under which RequireRoles looks for the caller's roles. The value must be []string. Set it via:

ctx = context.WithValue(ctx, policy.RolesKey, []string{"admin"})

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL